LinkedIn bolsters security while some users ignore breach

After LinkedIn sent out millions of emails urging users to update their account information following last week's data breach that resulted in some 6.5 million compromised passwords, many of the messages were mistakenly designated as spam.

According to a Tuesday blog post from messaging security firm Cloudmark, more than four percent of the notification emails received by LinkedIn users, nearly a quarter of a million messages in total, were flagged as junk mail by their recipients.

Cloudmark fingerprints messages with signatures so it can update its spam filtering system. A specific signature was assigned to the LinkedIn message, which allowed researchers to estimate how many recipients had marked it as spam.

While most believed they were doing the right thing, users who did signal spam are now clueless that they have a compromised password, Andrew Conway, a Cloudmark researcher, told SCMagazine.com on Wednesday.

"LinkedIn tends to send out a lot of messages that people don't want to read," Conway said.

The emails were legitimate, included a digital signature, addressed users personally and didn't contain a suspicious link.

But, Conway said, "LinkedIn should be more careful about the general emails that they send to people so users pay attention when the company has something to say."

On Tuesday, the business-networking website announced additional security layers, following one of the largest password heists in recent memory.

A blog post from the company confirmed that its users' passwords, which it had been protecting only with the cryptographic hash function SHA-1 (a one-way hash, not encryption, despite being widely reported as such), are now salted as well. Salting generates a random string of characters for each user and combines it with the password before hashing, so that two users with the same password no longer share the same stored hash and an attacker can no longer crack a whole database with a single precomputed table of hashes.

“At this time, LinkedIn cannot release any further information in order to protect our members and due to the ongoing investigation,” the post said. “For security reasons we cannot discuss certain details of our ongoing security upgrades.”

The encryption previously applied to the passwords did not provide the level of security needed, Patrick Townsend, founder and CEO of Townsend Security, told SCMagazine.com on Wednesday. He believes that SHA-1 is weak, and that a more adequate cryptographic hash function would be an upgrade to SHA-256, which doesn't have the mathematical weaknesses of its predecessor.

"Organizations with huge amounts of sensitive data are not spending the time needed to implement certified solutions," Townsend said.

But he applauded LinkedIn's openness.

“When you have a security event, it's better to move quickly and be transparent,” he said. “When it happens, it's usually a surprise and most people aren't ready to respond as soon as they need to.”